Bug 662366 (CVE-2010-4481) - CVE-2010-4481 phpMyAdmin: information disclosure flaw (PMASA-2010-10)
Summary: CVE-2010-4481 phpMyAdmin: information disclosure flaw (PMASA-2010-10)
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2010-4481
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 662367
Blocks:
Reported: 2010-12-12 04:26 UTC by Vincent Danen
Modified: 2019-09-29 12:41 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-05-30 07:14:28 UTC
Embargoed:



Description Vincent Danen 2010-12-12 04:26:12 UTC
PMASA-2010-10 [1] indicates that unauthenticated users were able to display phpinfo() output if phpMyAdmin was enabled to show it (which is not the default).  The phpinfo.php script incorrectly defined the PMA_MINIMUM_COMMON constant, which is used to skip authentication.  This has been corrected [2] in 3.4.0-beta1.

[1] http://www.phpmyadmin.net/home_page/security/PMASA-2010-10.php
[2] http://phpmyadmin.git.sourceforge.net/git/gitweb.cgi?p=phpmyadmin/phpmyadmin;a=commitdiff;h=4d9fd005671b05c4d74615d5939ed45e4d019e4c
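
An audit check for the condition described above, added here as an example and not taken from the report or from phpMyAdmin: it flags top-level scripts that both define PMA_MINIMUM_COMMON and call phpinfo(), and reports whether phpinfo display is switched on. The sample PHP is constructed; the include path, the `config.inc.php` file name and the `$cfg['ShowPhpInfo']` setting name are assumptions not stated in the report.

```python
import re
from pathlib import Path

# Constructed sample modelled on the description above, not copied from phpMyAdmin.
# The include path and the ShowPhpInfo setting name are assumptions.
VULNERABLE = """<?php
define('PMA_MINIMUM_COMMON', true);
require_once './libraries/common.inc.php';
if ($GLOBALS['cfg']['ShowPhpInfo']) { phpinfo(); }
"""
FIXED = VULNERABLE.replace("define('PMA_MINIMUM_COMMON', true);\n", "")

DEFINES_MINIMUM = re.compile(r"""define\s*\(\s*['"]PMA_MINIMUM_COMMON['"]""")
CALLS_PHPINFO = re.compile(r"\bphpinfo\s*\(")
# Assumption: the opt-in is written as $cfg['ShowPhpInfo'] = true; in config.inc.php.
PHPINFO_ENABLED = re.compile(r"""\$cfg\[\s*['"]ShowPhpInfo['"]\s*\]\s*=\s*(true|1)\b""", re.I)


def strip_comments(php):
    """Drop /* */ blocks and // or # comments so commented-out code is ignored."""
    php = re.sub(r"/\*.*?\*/", "", php, flags=re.S)
    return re.sub(r"(?m)(^|\s)(//|#).*$", "", php)


def audit_script(source):
    """True if the script both opts out of authentication and prints phpinfo()."""
    code = strip_comments(source)
    skips_auth = bool(DEFINES_MINIMUM.search(code))
    return skips_auth and bool(CALLS_PHPINFO.search(code))


def audit_tree(root):
    """Return (file, state) for each exposed top-level script under root."""
    root = Path(root)
    config = root / "config.inc.php"
    enabled = config.is_file() and bool(
        PHPINFO_ENABLED.search(strip_comments(config.read_text(errors="replace"))))
    state = "reachable without login" if enabled else "latent (phpinfo display off)"
    return [(p.name, state) for p in sorted(root.glob("*.php"))
            if audit_script(p.read_text(errors="replace"))]


if __name__ == "__main__":
    import sys
    for name, state in audit_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{name}: defines PMA_MINIMUM_COMMON and calls phpinfo(): {state}")
```

Run it with the phpMyAdmin install directory as the only argument; a "latent" result still means the script should be updated, since enabling phpinfo display later would expose it.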

Comment 1 Vincent Danen 2010-12-12 04:27:41 UTC
Created phpMyAdmin tracking bugs for this issue

Affects: fedora-all [bug 662367]

Comment 2 Robert Scheck 2011-05-29 20:53:37 UTC
May somebody please close this report? phpMyAdmin 3.3.10 is on all active
Fedora and EPEL branches available that have PHP >= 5.2.

Comment 3 Tomas Hoger 2011-05-30 07:14:28 UTC
Robert, feel free to close Security Response product bugs for phpMyAdmin when you're done with them.  I believe you should be able to do that.

phpMyAdmin is currently in Fedora and EPEL and no other product that uses Red Hat bugzilla.

Comment 4 Robert Scheck 2011-05-30 08:36:38 UTC
Tomas, my main problem is that Bugzilla doesn't let me do such actions...sorry.

Comment 5 Kevin Fenzi 2011-06-01 16:42:27 UTC
Robert: You need to make sure your bugzilla email matches up with your fas email in order to have the correct privs. In this case it doesn't, so your current bugzilla account doesn't get the privs. 

If you change your bugzilla email and/or fas account email to match you should be all set. ;)

